[Freeipa-devel] [PATCH] 910 fix memberof for privileges

Rob Crittenden Tue, 06 Dec 2011 11:28:47 -0800

Some privileges were being created after the permissions that werepointing to it causing the memberof to not be generated.

This patch reorders things for new installs and creates a PBAC memberoftask that will correct an upgrade.

rob

>From 259710708eda0e31ac3a048884bf678eb4bd0e74 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 6 Dec 2011 14:01:46 -0500
Subject: [PATCH] Reorder priviledges so that memberof for permissions are
 generated properly.

The privilege was added after the permission causing the memberof to not
be generated.

Add a new task to regenerate memberof for existing PBAC to fix upgrades.

https://fedorahosted.org/freeipa/ticket/2058
https://fedorahosted.org/freeipa/ticket/2059
https://fedorahosted.org/freeipa/ticket/2060
https://fedorahosted.org/freeipa/ticket/2061
---
 install/updates/40-delegation.update   |   41 +++++++++++++++----------------
 install/updates/55-pbacmemberof.update |   10 +++++++
 install/updates/Makefile.am            |    1 +
 3 files changed, 31 insertions(+), 21 deletions(-)
 create mode 100644 install/updates/55-pbacmemberof.update

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index a852ba4..cd5b498 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -18,6 +18,12 @@ dn: $SUFFIX
 add:aci: '(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX"; )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
 
 # Host-Based Access Control
+dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: HBAC Administrator
+default:description: HBAC Administrator
 
 dn: cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
@@ -82,13 +88,6 @@ default:objectClass: top
 default:cn: Manage HBAC service group membership
 default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
 
-dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: HBAC Administrator
-default:description: HBAC Administrator
-
 dn: $SUFFIX
 add:aci: '(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX";)(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)'
 add:aci: '(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX";)(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)'
@@ -102,6 +101,13 @@ add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn
 
 # SUDO
 
+dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Sudo Administrator
+default:description: Sudo Administrator
+
 dn: cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
 default:objectClass: ipapermission
@@ -165,13 +171,6 @@ default:objectClass: top
 default:cn: Manage Sudo command group membership
 default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
 
-dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: Sudo Administrator
-default:description: Sudo Administrator
-
 dn: $SUFFIX
 add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
 add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
@@ -184,6 +183,13 @@ add:aci: '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX";)(version 3.0
 add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX";)(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX";)'
 
 # Password Policy
+dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Password Policy Administrator
+default:description: Password Policy Administrator
+
 dn: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
 default:objectClass: ipapermission
@@ -226,13 +232,6 @@ default:objectClass: top
 default:cn: Modify Group Password Policy
 default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
 
-dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: Password Policy Administrator
-default:description: Password Policy Administrator
-
 dn: $SUFFIX
 add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
 add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/install/updates/55-pbacmemberof.update b/install/updates/55-pbacmemberof.update
new file mode 100644
index 0000000..bc17f56
--- /dev/null
+++ b/install/updates/55-pbacmemberof.update
@@ -0,0 +1,10 @@
+#
+# This needs to come later in the cycle otherwise the DN sorting is going
+# to cause it to execute before the member attributes are added
+dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
+add: objectClass: top
+add: objectClass: extensibleObject
+add: cn: IPA PBAC memberOf $TIME
+add: basedn: 'cn=privileges,cn=pbac,$SUFFIX'
+add: filter: (objectclass=*)
+add: ttl: 10
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 5cf4309..cc71176 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -27,6 +27,7 @@ app_DATA =				\
 	50-hbacservice.update		\
 	50-nis.update			\
 	50-ipaconfig.update		\
+	55-pbacmemberof.update		\
 	$(NULL)
 
 EXTRA_DIST =				\
-- 
1.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 910 fix memberof for privileges

Reply via email to